ID | Submitted | File | MD5

9091 | 2021-06-22 09:41 | dl.php.doc | 2775135ed5569787e253e62a238b1358
  Tags: Gen2 OS Processor Check MSOffice File unpack itself DNS
  Score: 1.8 | Count: - | Submitter: ZeroCERT

9092 | 2021-06-22 09:42 | dl.php.vbs | 45ad07c4795ff6b95f6b5c60b9fa8fc2
  Tags: crashed
  Score: 0.2 | Count: - | Submitter: ZeroCERT

9093 | 2021-06-22 09:43 | M0031.cab | 3b211b5eb6787043deba29c207c37bb0
  Tags: Escalate priviledges KeyLogger AntiDebug AntiVM suspicious privilege Check memory Checks debugger unpack itself DNS
  Score: 2.2 | Count: - | Submitter: ZeroCERT

9094 | 2021-06-22 10:18 | file.exe | e0c4171c0bb82cf52647b0ccbfd6f3e3
  Tags: Generic Malware Admin Tool (Sysinternals etc ...) PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows Remote Code Execution crashed
  Score: 3.4 | Count: 33 | Submitter: r0d

9095 | 2021-06-22 11:14 | tbCgXlQIMjI1kIcB.jpg.ps1 | 55dae81112baf10e1cdbfad99c922ce8
  Tags: Antivirus VirusTotal Malware Check memory unpack itself WriteConsoleW Windows DNS Cryptographic key
  Score: 2.0 | Count: 1 | Submitter: ZeroCERT

9096 | 2021-06-22 11:20 | GT2pFbB.dll | 4e5fc6111da7ec4512257864ded2f43b
  Tags: Generic Malware UPX Malicious Library PE File PE64 DLL VirusTotal Malware crashed
  Score: 1.2 | Count: 5 | Submitter: r0d

9097 | 2021-06-22 12:14 | purchase order.exe | 43955364f71a38a2af68a9c85ce5c7af
  Tags: AsyncRAT backdoor PWS .NET framework Generic Malware Malicious Packer SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName DNS crashed
  Score: 12.2 | Count: 24 | Submitter: ZeroCERT

9098 | 2021-06-22 12:20 | BNTS_CHT_ONLNE.msi | 22d9cae00205d10fdddde71ca75ebc02
  Tags: Gen2 Antivirus OS Processor Check MSOffice File VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check ComputerName DNS
  Score: 3.0 | Count: 12 | Submitter: ZeroCERT

9099 | 2021-06-22 13:54 | プロフォーマインボイス pdf.exe | 88b341b9e1d4b70baaa827d7b06e2456
  Tags: PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself anti-virtualization DNS
  URLs (1): http://detectportal.firefox.com/success.txt?ipv4
  Hosts (4): detectportal.firefox.com(34.107.221.82); prod.detectportal.prod.cloudops.mozgcp.net(34.107.221.82); mozilla.org(44.236.48.31); 34.107.221.82
  Score: 3.2 | Count: 19 | Submitter: ZeroCERT

9100 | 2021-06-22 15:24 | プロフォーマインボイス pdf.exe | 88b341b9e1d4b70baaa827d7b06e2456
  Tags: Admin Tool (Sysinternals etc ...) PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself anti-virtualization
  Score: 2.2 | Count: 19 | Submitter: r0d

9101 | 2021-06-22 15:31 | http://122.114.198.100/www/vbc... | 5beae2f6cea2c9f92ab4e2b34dfac0d4
  Tags: PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downlo Malware download VirusTotal Malware Code Injection Malicious Traffic Creates executable files exploit crash unpack itself Windows utilities AppData folder malicious URLs Tofsee Windows Exploit DNS crashed Downloader
  URLs (1): http://122.114.198.100/www/vbc.exe
  Hosts (1): 122.114.198.100 - malware
  Alerts (6): ET INFO Executable Download from dotted-quad Host; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure; ET POLICY PE EXE or DLL Windows file download HTTP; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  Score: 6.0 | Count: 35 | Submitter: guest

9102 | 2021-06-22 18:08 | ................................. | f418946469f4edf5fd007c9767eeb14b
  Tags: RTF File doc LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed Downloader
  URLs (2): http://103.125.191.125/http/vbc.exe; http://bnbrokenhead.cf/Bn4/fre.php
  Hosts (3): bnbrokenhead.cf(104.21.2.166); 103.125.191.125; 172.67.186.250
  Alerts (15): ET INFO DNS Query for Suspicious .cf Domain; ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET INFO HTTP POST Request to Suspicious *.cf Domain; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET INFO Executable Download from dotted-quad Host; ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response
  Score: 4.4 | Count: 27 | Submitter: ZeroCERT

9103 | 2021-06-22 18:09 | vbc.exe | 357e95c47c4b8666b0fe33277a37f376
  Tags: PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself Remote Code Execution DNS crashed
  Score: 3.4 | Count: 33 | Submitter: ZeroCERT

9104 | 2021-06-22 18:10 | vbc.exe | 8da587a72663d0312b35d53f4d45735c
  Tags: PE File PE32 DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder installed browsers check Browser Email ComputerName DNS Software
  URLs (1): http://bnbrokenhead.cf/Bn4/fre.php
  Hosts (2): bnbrokenhead.cf(172.67.186.250); 104.21.2.166
  Alerts (9): ET INFO DNS Query for Suspicious .cf Domain; ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET INFO HTTP POST Request to Suspicious *.cf Domain; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response
  Score: 8.2 | Count: 18 | Submitter: ZeroCERT

9105 | 2021-06-22 18:13 | prince_of_persia_P_v4_x86.exe | 28906318e1bfa9949cd086e807a0f220
  Tags: AsyncRAT backdoor Generic Malware PE File OS Processor Check PE32 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key
  URLs (20): all under https://nidhoggr.club/
  Hosts (2): nidhoggr.club(185.112.146.165) - malware; 185.112.146.165 - malware
  Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Score: 6.4 | Count: 34 | Submitter: ZeroCERT